Are you ready for GDPR?
Have you heard of GDPR?
You may or may not be aware of the upcoming GDPR rules governing the handling of personal data, due to come into force in May 2018. The ‘General Data Protection Regulation’ (GDPR) was introduced by the European Union and will apply regardless of the UK’s departure from the EU. As an agency that deals with websites where data is collected, it is important that we are aware of these rules and inform our clients accordingly.
In a nutshell, these regulations will replace the existing ones governing how companies collect, store and use personal information. Fundamentally, the GDPR rules aim to give control back to ordinary people when it comes to their personal data, by creating a consistent, EU-wide data protection regulation. To achieve this, tighter controls are placed on those who host and process such data. As most websites collect data, GDPR will affect all of our clients with website databases and web forms.
What does GDPR cover?
The legal right of people to access, correct, delete or transfer personal information held about them on any company system.
The requirement for citizens to give explicit consent for their personal data to be held, and for companies to keep a record of that consent.
The legal obligation for organisations to inform the relevant data protection authorities and the affected consumers within 72 hours of a data security breach.
Does my company have to comply?
Every EU company regardless of size has to comply, even agencies like ours!
The penalties for non-compliance can be very severe, to put it mildly.
Provisions in the GDPR stipulate that fines of up to 4% of a company’s annual turnover (or 20 million euros, whichever is higher) can be ordered for serious violations. What constitutes a ‘serious’ violation has not yet been defined, but that does not stop it from being the law.
Regarding GDPR and websites, which is the main focus for us, the new regulations make the people in charge of website planning or data input responsible too, rather than just the website owner or web hosting company, so a much larger group of people is covered. Everyone involved in the process must therefore take some responsibility for considering GDPR in their planning.
It is therefore a good idea to work with professional agencies like ourselves, who can help you adapt your website to meet the regulations.
What practical steps do I need to take to comply and how does it affect my website?
In order to comply, companies which handle personal data must fully understand exactly what kind of information they hold, where they hold it and who has access to it. To establish this, a company-wide data audit is recommended, ideally carried out as soon as possible so that issues can be identified early.
It is important that all employees who have previously handled personal data, or will in the future, are made aware of these new regulations. Such employees should fully understand the provisions and what they will mean for the organisation. This includes ALL workers, not just those in senior positions, and so GDPR training sessions are a good way of helping uninformed personnel understand the new rules.
Moving forward, companies should update their existing data protection policies and practices and put in place rigorous schemes to govern them. There should also be a system for quickly detecting and responding to any data breaches.
Furthermore, companies will need to appoint a dedicated Data Protection Officer: an individual who is responsible for all company-wide personal data. It makes obvious sense to appoint someone with expertise in data protection and GDPR in particular, or, for small companies where the subject seems like a minefield, at least the person most familiar with it.
Specifically for websites, any contact point that collects personally identifiable data must state clearly why the data is being collected, and must not assume that the consumer consents to further communications or to their data being stored longer than strictly necessary. In real terms, this means that a newsletter subscription box that today has only an email address field and a submit button now needs distinct Yes / No options to choose from, together with a disclaimer explaining what the data is being collected for and how it will be used, including whether it will be shared with any third parties.
The same principle applies to every collection form throughout the website, including e-commerce checkouts. A good example is shown below, where the contact permission section has been updated to be GDPR compliant and all assumed consent or non-consent has been removed.
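To make the newsletter-box change above concrete, here is an added example (not code from the original post or from SO Marketing) of how the server side of such a form can refuse assumed consent and keep the consent record the regulation asks for. The field names, the disclaimer wording and the sample submissions are all assumptions made for the example.

```javascript
// Added example (not from the original post): server-side handling of a
// newsletter form that follows the "no assumed consent" rule described above.
// Field names, the disclaimer wording and the sample submissions are constructed.
// The disclaimer shown next to the form: purpose, plus whether data is shared.
const DISCLAIMER =
  "We use your email address only to send our monthly newsletter. " +
  "It is not shared with any third party.";

// Only the two distinct buttons count as an answer. A missing field, a
// pre-ticked default or any other value is NOT consent.
function parseConsentChoice(value) {
  if (value === "yes") return true;
  if (value === "no") return false;
  return null; // no explicit decision
}

function isPlausibleEmail(email) {
  return typeof email === "string" && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
}

// Returns the consent record the business must keep, or a rejection.
// `now` is a parameter so the result is reproducible.
function handleNewsletterSubmission(fields, now = new Date()) {
  const email = typeof fields.email === "string" ? fields.email.trim() : "";
  if (!isPlausibleEmail(email)) {
    return { ok: false, reason: "invalid email" };
  }
  const choice = parseConsentChoice(fields.newsletter_consent);
  if (choice === null) {
    // The old form subscribed on submit; that assumption is what GDPR removes.
    return { ok: false, reason: "no explicit consent choice" };
  }
  // A "no" is recorded too: it shows the choice was offered and declined.
  return {
    ok: true,
    subscribe: choice,
    consentRecord: {
      email,
      purpose: "newsletter",
      disclaimerShown: DISCLAIMER,
      consentGiven: choice,
      recordedAt: now.toISOString(),
    },
  };
}

// Constructed submission: an explicit "yes" with a fixed timestamp.
const accepted = handleNewsletterSubmission(
  { email: " a@example.com ", newsletter_consent: "yes" }, new Date("2018-05-25T00:00:00Z"));
```

A submission from the old form, with no consent field at all, is rejected rather than silently subscribed, and a "no" answer is kept on record alongside a "yes".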
While SO Marketing cannot give actual legal advice on GDPR, we can offer clients suggestions on gearing up for their web design GDPR needs and can also help implement the required actions at the lowest cost possible.